Michael Gracie

Quick and dirty mcrypt usage

I don’t know where I discovered the original idea, but in messing around with a PHP app I found the need to encrypt session cookies. Here’s how it was done, with the mcrypt library:

//encrypt session cookie
function encryptUserCookie($value)
{
if(!$value) {
return false;
}
$key = SESSION_SALT;
$text = $value;
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $text, MCRYPT_MODE_ECB, $iv);
return trim(base64_encode($crypttext)); //encode for cookie
}


Decoding the cookie was much the same…

//decrypt session cookie
function decryptUserCookie($value)
{
if(!$value) {
return false;
}
$key = SESSION_SALT;
$crypttext = base64_decode($value); //decode cookie
$iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
$iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
$decrypttext = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $crypttext, MCRYPT_MODE_ECB, $iv);
return trim($decrypttext);
}


SESSION_SALT was of course something I called from a variables file.

These snippets were used in an online directory system, where I didn’t want attendees inspecting the cookies for the purpose of setting up multiple listings under the same login.

Simple stuff, but hope it is useful to someone.

Bruce Schneier, on learning that some health care works stored encrypted information on a USB memory device, along with the key to unlocking the encryption itself:

It’s smart to encrypt USB memory devices, but it’s stupid to attach the encryption key to the device….I’m sure they were so proud that they chose a secure encryption algorithm.

For those just joining, the above described action is the approximately equivalent to this…

Editor’s note: the picture above is neither a good Photoshopping job nor an accurate depiction of the author’s rear bumper.

After the Veterans Administration wrote the script for downplaying risk, when tens of millions of data records were stolen out of an employee’s home, the Bush Administration issued an edict – encrypt all data on government laptops.

Good idea, but nobody’s listening. Wonder what the TSA’s “100,000″ number will grow to?

I wish I could say I am shocked and bewildered that the recent data theft out of the State of Ohio was more than 15 times worse than Ted Strickland & Co. made it out to be when the physical drive (?) was stolen out of an employee’s car, but alas I cannot. I wish I had a more sarcastic way to put it too, but Carlo over at Techdirt did a pretty good job of that. Meanwhile, I’ve recently heard that sarcasm is symptomatic of passive-aggressive behaviour, and since an old girlfriend once told me I was the only man she ever dated that wasn’t “PA,” I’m going to respect her opinion and refrain from sarcasm from this day forward.

Ok, maybe not…

It’s not as though Ohio didn’t see this coming – it’s been going on in the Buckeye state for some time. Then again, does anyone in bureaucracies ever know what is actually going on? If they did, would they even care? Or are they just so attuned to stretching the truth that they just don’t know how to shut up, even in the face of stone cold evidence waiting to rear it’s ugly head?

No matter. When the “powers that be” come out with statements like this:

“He’s actually in line with our conclusions that it would be very difficult for someone without special knowledge and understanding to actually access that piece of information.”

…you know someone is speaking for someone else right before they get handed their pink slip. “Very difficult?” “Special knowledge?” The spokesperson is either completely insane or oblivious to the fact that there are third world countries full of brilliant mathemeticians, since cast into the shadows of unemployment and looking feverishly for work on internet message boards.

The same types of folks create stuff like this:
            

Add this:
               

And wind up with this:
    

And that’s for a few hundred bucks, based on some handwritten notes a moron like me scratches on the back of an envelope over three Blue Moon drafts, and faxes over to him at his office at the local community college. I use such strokes of amatuerism to create graphs on a very stupid, highly unsuccessful website I built for a few thousand bucks more.

If I can rally such idiots to produce algorithms at a price equal to a steak dinner in New York proper, for something I will never see a return on my investment for, you can be assured that there is someone out there that can crack the encryption on a device left in the back of a government clerk’s car that contains social security and bank account numbers on a million people, just for throwing in a bottle of 1999 Chateau Pichon Lalande.

UPDATE: None of this matters anymore – a scapegoat has been caught, tried, and hung. That’s how it works.

The talk is directed at Bitlocker, the full disk encryption in Windows Vista, but it applies to all similar methodologies.

It’s simple. Fools don’t have physically secure, unencrypted backups. Fools think everything should run like lightning, regardless of the strain on the system. And, of course, fools lose passwords.

Doesn’t sound foolproof.

Might I suggest using virtual disk encryption, like that offered by PGP. It is slightly more cumbersome but puts less strain on the system and the “product” is portable – better design for fools (like me).

Now that is saying something, since it is presently January 6th. No, I’m not the one saying it – some security researchers are, and those researchers are implying it could be the biggest bug of the whole year (but I think that is only because they know Acrobat Reader has a huge install base, and most people are too dumb to bother implementing a patch when it does arrive).

Adobe has been on a decent streak as of late, so no better time to try and kick them down. The bright side of this is that it is free software we’re dealing with, so at least you didn’t pay to have your computer screwed up.

Note: Spamroll wins, however – a new category has been started – Software Bugs! Report quirks at your leisure.

UPDATE: Speaking of free software in need of patching…OpenOffice. I need to do it too, OpenOffice being a great tool for parsing small database tables when readying for import – Excel for Mac does a crappy job at it.

UPDATE 2: Since I’m on a free software binge this morning (while the dog pesters me for a walk), Dr. Dobbs notes that the free TrueCrypt encryption software is a hell of a way to thwart phishers. Check it out.

It is the last day of 2006. What better time for predictions…

From the experts:

• The security threats that will bind us in 2007

• If you are more inclined to make (or lose) money next year, here’s “the take” from the Washington Post

Spamroll says:

• Spam will not end in late January (and Bill Gates will remain mum thereafter)

• Some spyware companies will be getting sued again by February, while the rest change their company name
• The government will quit buying consumer data in March, after determining that who is buying TMX Elmo is in no way correlated with who has a tendency to be a terrorist
• Everyone will be backing up their hard drives by April, but only if external hard drives are free
• They’ll be encrypting them by May, because everyone will be running hacked versions of Vista
• We’ll all take the summer off, since phishers already do
• Back-to-school will piss off millions of children, and not much else
• October will be much like September
• Telcos will implement IPv6 for Thanksgiving, and everyone on the internet will know who everyone else is, once and for all (with the exception of MacBook Pro users, which are already being tracked via heatsink)
• We’ll get a ton of self-serving predictions for 2008, a week early at Christmas

Happy New Year!

UPDATE: Sarcasm does work – someone is thinking about backup.